# update_engine payload application permissions. These are shared between the
# background daemon and the recovery tool to sideload an update.
#
# Every rule below is granted to update_engine_common unless noted otherwise;
# the two dm_user_device rules near the end are scoped to update_engine only.

# Allow update_engine to reach block devices in /dev/block.
# (search only here; listing the directory is granted further down.)
allow update_engine_common block_device:dir search;

# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file rw_file_perms;
allow update_engine_common system_block_device:blk_file rw_file_perms;

# Where ioctls are granted via standard allow rules to block devices,
# automatically allow common ioctls that are generally needed by
# update_engine.
# Because the target is the dev_type attribute, this allowxperm acts as the
# ioctl filter for every blk_file rule in this file (boot, system, misc, dm,
# super); it does not by itself grant ioctl on any device. Keep the list
# minimal: these commands discard or zero ranges, or read/toggle the
# read-only state of the device.
allowxperm update_engine_common dev_type:blk_file ioctl {
  BLKDISCARD
  BLKDISCARDZEROES
  BLKROGET
  BLKROSET
  BLKSECDISCARD
  BLKZEROOUT
};

# Allow setting recovery options in the BCB. Used to trigger a factory reset
# when an update to an older version (channel change) or to an incompatible
# version requires it.
allow update_engine_common misc_block_device:blk_file rw_file_perms;

# Read fstab from the root filesystem.
allow update_engine_common rootfs:dir getattr;
allow update_engine_common rootfs:file r_file_perms;

# Allow update_engine_common to mount on the /postinstall directory and reset the
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
# NOTE(review): labeledfs is not specific to the postinstall image, so this
# rule is wider than the postinstall_file one above. It deliberately lacks
# relabelto, so presumably the flow is: mount (fs comes up as labeledfs),
# then relabel it to postinstall_file, never the reverse — confirm.
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };

# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
allow update_engine_common postinstall_file:lnk_file r_file_perms;
allow update_engine_common postinstall_file:dir r_dir_perms;

# Install update.zip from cache (read-only access to cache_file).
r_dir_file(update_engine_common, cache_file)

# A postinstall program is typically a shell script (with a #!), so we allow
# executing the shell interpreter itself.
allow update_engine_common shell_exec:file rx_file_perms;

# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };

# Read /proc/cmdline.
allow update_engine_common proc_cmdline:file r_file_perms;

# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)

# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)

# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
# NOTE(review): `sysfs` is presumably the generic label for sysfs nodes that
# have no more specific type, so the first rule permits listing far more than
# /sys/fs/ext4. A dedicated label for /sys/fs/ext4 (as sysfs_fs_f2fs is for
# f2fs) would make the grant as narrow as this comment describes.
allow update_engine_common sysfs:dir r_dir_perms;
allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;

# Read / write on /dev/device-mapper to map / unmap devices.
allow update_engine_common dm_device:chr_file rw_file_perms;

# Apply / verify updates on devices mapped via device mapper.
allow update_engine_common dm_device:blk_file rw_file_perms;

# Read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
# NOTE(review): these two rules name the update_engine domain rather than
# update_engine_common, so unlike the rest of this file they do not apply to
# the recovery sideload path. Confirm this is intentional (recovery may not
# use dm-user) rather than an oversight.
allow update_engine dm_user_device:dir r_dir_perms;
allow update_engine dm_user_device:chr_file r_file_perms;

# Read / write metadata on the super device to resize partitions.
allow update_engine_common super_block_device_type:blk_file rw_file_perms;

# ioctl on super device to get block device alignment and alignment offset.
# For this target the permitted ioctl set is the dev_type list above plus
# these two query commands.
allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

# Get the physical block device to map logical partitions on device mapper.
allow update_engine_common block_device:dir r_dir_perms;

# Allow update_engine_common to write to the statsd socket.
unix_socket_send(update_engine_common, statsdw, statsd)

# Allow reading the Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)

# Allow reading GKI related flags.
get_prop(update_engine_common, ab_update_gki_prop)
get_prop(update_engine_common, build_bootimage_prop)

# Allow read/write/create of OTA metadata files for snapshot status and COW
# file status. Only search is granted on the parent metadata_file directory;
# full directory and file access is limited to the ota_metadata_file subtree.
allow update_engine_common metadata_file:dir search;
allow update_engine_common ota_metadata_file:dir rw_dir_perms;
allow update_engine_common ota_metadata_file:file create_file_perms;